LAN-to-LAN Networks with Digital Certificates

LAN-to-LAN Networks with Digital Certificates

Ordering, enrolling, and installing digital certificates using SCEP was covered in Chapter 14. Once the certificates are installed, two modifications can be made to use the certificates. These modifications should be done in the following order:

Use the Manager navigation to locate the Configuration | System | Tunneling Protocols IPSec | IKE Proposals screen to choose the IKE proposal to be updated to use digital certificates, and then click the Modify button. The Configuration | System | Tunneling Protocols IPSec | IKE Proposals | Modify screen, as shown in Figure 16-11, can be used to update the Authentication Mode to use digital certificates.

Figure 16-11: Update the Authentication mode to use digital certificates

Use the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN screen to modify the existing IPSec LAN-to-LAN connection between the two VPN Concentrators. By selecting the appropriate connection (toTacoma) and clicking the Modify button, the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Modify screen, previously shown in Figure 16-9, can be used to modify the LAN-to-LAN connection IPSec SA to support the digital certificate.The digital certificates drop-down list can be used to select the installed certificate. Then choose between Entire certificate chain or Identity certificate only. Choosing Entire certificate chain sends the identity certificate and all issuing certificates, including the root and any subordinate CA certificates. Choosing Identity certificate sends the peer only the identity certificate.